You are not logged in.
I recently found out that, instead of just modifying the original references to Debian and its repositories in the original Debian installer, the developers of Devuan decided to "heavily modify" the installer, and add proprietary firmware to it.
With the result of this being that, the installer is reportedly buggy, and (as I said) installs proprietary firmware on your computer.
(https://dev1galaxy.org/viewtopic.php?pid=8292#p8292)
Well, the reason why I chose Debian above all other distros, was exactly because I didn't want either (1) serious bugs or (2) anything proprietary on my OS, by default.
So, I would just like to know...
Are all Devuan-derivative distributions completely based on Devuan's original code, including that of the Devuan installer?
Or are there some that still use, and modify, parts from the original Debian code instead, including the installer?
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
I believe Star and Crowz use the Debian installer. I'm not sure how modified the installer is. I could be wrong, but I think Star doesn't include contrib and non-free...but don't quote me on that. Same with Crowz.
I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.
Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.
Offline
Thanks.
I will look into it.
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
I recently found out that, instead of just modifying the original references to Debian and its repositories in the original Debian installer, the developers of Devuan decided to "heavily modify" the installer, and add proprietary firmware to it.
With the result of this being that, the installer is reportedly buggy, and (as I said) installs proprietary firmware on your computer.
Please stop spreading FUD about Devuan. If you want to criticize something, by all means, do so. But, please, make an attempt to get the facts together instead of constantly mingling legitimate concerns with suggestive statements and allegations towards the Devuan project. The kind of suspicion-driven speculation you've been rolling out in this forum right from your first post is taking everyone's time away for no good reason (including yours).
Last edited by msi (2018-04-17 01:02:13)
Offline
msi has a good point.
By the way, I experienced no buggy installer behavior when I installed Devuan Jessie last year or Devuan Ascii back in March. There were no contrib or non-free packages on my system after either installation.
Devuan is as committed to free software as Debian. Just remove contrib and non-free from your /etc/apt/sources.list and use vrms to find any packages you don't want. It really is as simple as that.
Last edited by GNUser (2018-04-16 19:14:09)
Offline
Gnuinos is another one that uses debian-installer, has all free software and uses a libre kernel.
Refracta and Exegnulinux have all free software but use a different installer.
Offline
msi,
I'm not spreading FUD about Devuan (or, at least, that's not my intention). I'm just exposing a very serious concern that I have, with a very specific aspect of one of its components. And, the reason why I do this, is because I would really like to adopt this distribution.
(Eitherwise, I wouldn't even bother participating in this forum, and would just leave for another distribution - which I don't want to, because this distribution is almost a *perfect* one for me, with the exception of what I call people's attention to.)
And, I'm not the kind of person who speaks or writes with so-called second intentions (as people say, in my native language) - and, therefore, I don't come here to make "suggestive statements".
As for "allegations", when I say that the installer is buggy and installs proprietary firmware, that's not me claiming that. I'm repeating what was said to me in another thread in here, by someone who (from what I understood) is involved in the creation of such installer. That is, I'm stating facts - not making allegations.
As for me being suspicious about proprietary software, I believe I've made very good points about, and given very good facts as base for, such concern of mine on other threads - so, I completely disagree that such concern is for "no good reason"...
Also, if I repeat the same arguments or facts in different threads, that's because I have to, in order to explain the different kind of questions I raise on those different threads. I cannot assume (or, above all, expect) that other people have read all my posts in other threads or subforums. And, I believe that the proper way to pose my questions, or raise my concerns, is to write them under the assumption that each one will be the only one that a person will read from me.
And, I really am sorry, if I end up being annoying because of all this...
But, my situation is that, the main reason why I adopted GNU/Linux as my main OS, was because I wanted to have a secure OS. And, therefore, I really don't like anything that might pose a risk (as I see it) to that same security.
And, I have very good reasons to worry about my computer security. Since, (besides having myself witnessed very strange things happening in non-secure computers that I had) what happens to other people who have the same (or similar) kind of political activity that I have, and who don't take the same kind of precautions I take, are things like this: https://www.youtube.com/watch?v=5utlGvodeAM#t=9m21s
[EDITED: Or, wait, I think I know of what you are specifically (also) talking about - and, I will therefore add another explanation shortly...]
I suppose you were referring to what was said in the first thread I created in here, and also to something I've said in a subsequent thread I created. And, also to clarify things on my side,
The bug you pointed me to didn't concern (at least, specifically) the situation I was describing. Since that, such bug is related to an "expert install" where one is given the option of "selecting" repositories. And, what happens to me, is when I do a regular (net) installation, where I'm not even asked about what repositories do I want to use or activate.
And, the fact that such bug doesn't correspond to my (specific) situation - together with what I said on my first thread, as to not believing or understanding how could what was happening to me be a sort of "bug", if Debian's original installer didn't have it - was the reason why, in a subsequent thread I created, I described the situation as "supposedly or reportedly because of some 'bug'".
I was not "suggesting" anything - but instead (clearly) implying something - with that. I was just (honestly, as is my costum) describing the situation as I see it (i.e. that this problem might have been wrongly identified as a bug or not). With the situation being that, I still cannot understand how this problem can be the result of some "bug", properly said - or, at least, as I understand one to be (i.e. an unintended flaw created by the necessary modification of a component, instead of something that was just deliberately and consciously added). But, I've quit trying to understand this, and just moved on...
Last edited by Fernando Negro (2018-04-16 22:41:42)
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
I wanted to have a secure OS.
http://forums.debian.net/viewtopic.php? … 65#p671040
OpenBSD Puffy.lan 6.3 GENERIC.MP#173 amd64
Offline
Just remove contrib and non-free from your /etc/apt/sources.list and use vrms to find any packages you don't want. It really is as simple as that.
Not quite. Since that, if my concern about this is related to security,
(As I explain in the following post) If I let the installer first install anything proprietary, by then (i.e. after the installation) such security might have already been compromised: https://dev1galaxy.org/viewtopic.php?pid=8382#p8382
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
msi,
As for "allegations", when I say that the installer is buggy and installs proprietary firmware, that's not me claiming that. I'm repeating what was said to me in another thread in here, by someone who (from what I understood) is involved in the creation of such installer. That is, I'm stating facts - not making allegations.
You're probably referring to the following that I said in another thread:
I don't know much about the inner workings of the debian-installer, but what little I know confirms that it's an ugly hairball.
I was referring to difficulty working with the code to modify it. The devuan installer works surprisingly well. I don't think the rate of bugs in the beta installer is much different from what I've seen in debian over the years.
I'm not working on the installer other than to test it. Any time I've tried to include it in a live iso (with live-build) I failed. I hate the damned thing and don't know why you want to use it, but I respect your preference in installers (and we intend to keep it working, so don't worry about that.) I know more about the installer in the live isos.
I also said:
I agree that the user should be alerted to the fact that their hardware might require non-free firmware, they should be given the choice to install it or not, and the appropriate repositories should be included in sources.list.
We're working on that. Testing installers takes time.
Offline
siva,
Hi there.
(I see that such thread in the Debian forums really didn't pass unnoticed to you.) eheh
I understand that the BSD-family of distros might be even more secure than the GNU/Linux one. But, nevertheless, I would still like to stick with GNU/Linux - so that I can, once in a while, also play a (completely free) game or two, to unwind from intellectual work (like this one: https://www.etlegacy.com/).
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
Nothing like violence to unwind. Good grief . . .
Offline
Hello, fsmithred.
Yes. You were the one I was referring to (or thinking about) when I mentioned someone that (from what I had understood) was somewhat involved in the creation of Devuan's installer.
Thank you, very much, for your clarification - and, also for all that extra information. It's great for me to know that you're all planning to keep using Debian's installer.
The reason I like it so much (the non-graphical "netinst" variant, that is) is because, one thing I've always liked (very much) in computers and elsewhere is simplicity. And, with a Debian "Net Install", I have
1) a really fast (non-graphical) installer, that can run fast on any computer,
2) one that doesn't need a graphical environment to be loaded before starting (speeding up the process, again) and
3) one that, after the installation - because it has already downloaded, from the Internet, the more recent version of all the packages chosen (instead of older ones, present in the installation media) - doesn't require me to loose any more time with such installation, by having to update the system at the end of it.
(Three things, in total, that this particular installer does to make the installation process a very quick - and simple - one.)
And, yes, I noticed (and also remember very well) that you said on that other thread that you're working to solve the problems, or contradictions, that I had presented.
I didn't say it there, but I'll take the opportunity to thank you here, and very much, for that.
Best regards.
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
Ever consider a walk in the woods or on the beach?
Offline
Gnuinos is another one that uses debian-installer, has all free software and uses a libre kernel.
Refracta and Exegnulinux have all free software but use a different installer.
Hello again, fsmithred.
Indeed, Gnuinos is (for the reasons you've stated) the most interesting Devuan-based distro I've come across (and, one in which all my security concerns with proprietary software are eliminated). But, unfortunately, they don't have a stable release yet...
But, yes. Either Gnuinos or an undoubtedly safe installation of Devuan should be my choice.
I will look also into those other two derived distros, the first one of which I didn't know about. Thank you very much for your tip.
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
Here's a suggestion . . . do you know that devuan has no-systemd version of tails?
https://heads.dyne.org/about.html
That might suit you perfectly.
Offline
I'm not interested in anonymity - only in security.
And, the "Tor" network (created and funded by the US government itself: https://trisquel.info/en/forum/how-use- … ment-26792) doesn't provide anonymity, anyway: https://twitter.com/BlackFerdyPT/status … 8218624000
There's no such thing as anonymity on the Internet. Since that, the Internet itself was created by the US government as a tool for surveillance (http://forums.debian.net/viewtopic.php? … 60#p670674). And, even if you use strong encryption, the US government has ways of decrypting it (https://www.youtube.com/watch?v=PZQXxUmROIU#t=1h8m25s - with this last interview having been made to a former US Naval Intelligence officer himself).
(But, as always, when I talk to people who are not aware of this, feel free to believe whatever you want...)
Last edited by Fernando Negro (2018-04-17 18:31:01)
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
Geesh . . . I was just trying to help but that will likely be the last time.
Just something to think about . . . very few things in this world are under our 'control'. The control that we do have is in the mind that perceives the uncontrollable. There is truth in what you say but it has taken you down quite a rabbit hole. Please stop trying to pull us in with you. Wasted bits and bytes . . .
Offline
I'm not trying to pull anyone towards anywhere.
I just have the habit of, whenever I claim something that goes against what people believe to be true, present the proofs or basis of my claims, so that anyone can know where I come from (i.e. that I'm not just making things up) and make their own judgement about what I say. And, when responding what I did to you, I again felt the need to present arguments for my claims. That's it.
Besides, I think I've already presented every concern that I have with any aspect of this particular distribution (Devuan). So, I don't expect to post anything in here more that might be upsetting to somebody.
[EDIT: I will then just put a "strike through" on top of the last two paragraphs in that last post of mine, since they're unnecessary, in this case, to argument my personal scepticism about the "Tor" network. P.S. - Thank you, anyway, for your tip - and, also for all your help.]
Last edited by Fernando Negro (2018-04-17 18:35:44)
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
crunkbong (my project) is intended to focus on security, mostly through minimalism. I'm one step away from updating the kernel to 4.15.x for full meltdown mitigation (still deciding whether or not to use liquorix). The biggest issue I foresee you having with it is proprietary wifi drivers, which are the only proprietary components, and can be easily disabled or uninstalled before any network connection is established. (I'm actually trying to determine the best way to address this, btw, and I'm open to suggestions.)
If you're daring enough to boot it, and can post tangible findings regarding any proprietary-firmware-based exploits, I'd definitely love to hear back.
Not that I recommend it for daily use, aside from (I guess) being a sensible base, but it uses refractainstaller -- can't remember if this is the "default" devuan installer that this conversation is criticizing. Alternatively, one could easily manually partition a disk and debootstrap a base system. This process isn't far removed from using apt, as far as I can tell.
http://dev1galaxy.org/viewtopic.php?id=1976
Last edited by siva (2018-04-17 19:12:07)
Offline
This thread is not about criticizing Devuan's installer (I've created another thread for that: https://dev1galaxy.org/viewtopic.php?id=1984). This thread is only about something that I would really like to know, in case Devuan's installer ends up, nevertheless, being/becoming something I'm not comfortable with using.
Concerning suggestions about how should the installer deal with proprietary Wi-Fi components, the best way to do it, in my opinion, is exactly what Debian does. That is, to not include anything proprietary in the installation media, but allow it to be added during the installation, only if the user really wants to and knows what s/he's doing - https://dev1galaxy.org/viewtopic.php?pid=8402#p8402 - so that the installation of such proprietary components cannot happen by accident, either
(1) because of the user pressing a wrong key, or even
(2) because of some bug, that inadvertently causes a proprietary package (included in the installation media) to be installed.
(In sum, Debian's approach to proprietary software, from a "paranoid about such type of software" point-of-view, allows the installation to be very close to 100% secure. This being the reason why I'm just looking for a Devuan equivalent to such Debian installer.)
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
This thread is not about criticizing Devuan's installer...I've created another thread for that
They're honestly all blurring together at this point.
That is, to not include anything proprietary in the installation media, but allow it to be added during the installation, only if the user really wants to and knows what s/he's doing
I think a few of the users made it very clear that the devuan installer gives you the option; therefore, a user who "knows what s/he is doing" should have no issues, well, doing. I'll echo the "user error" caveat.
I foresee some possible solutions:
a) use a libre devuan spin and manually install your system: partitioning, deboostrapping, etc.
b) rewrite the debian installer and share.
c) step B, and release it on your own devuan spin
Honestly, it sounds like option C is your best bet, as it implies the best of A and B. If you're building it from scratch (a deboostrapped build), then you can be pretty much 99.99% certain that your software is as secure as it can possibly get (the final .01% is for our friends at the NSA -- I know you're watching, Carl, so stop sending people to eat my dried kale leaves when I leave for work). In addition, it sounds like you'll have some fans who will benefit from a revised, libre-oriented installer. It sounds like your mindset could be of huge value to this community, if it were supported with software contributions. You should reach out to miroR, as well.
Last edited by siva (2018-04-17 19:47:41)
Offline
Not that I recommend it for daily use, aside from (I guess) being a sensible base, but it uses refractainstaller -- can't remember if this is the "default" devuan installer that this conversation is criticizing. Alternatively, one could easily manually partition a disk and debootstrap a base system. This process isn't far removed from using apt, as far as I can tell.
Nope. Refractainstaller is not devuan's default installer. We were talking about the debian-installer (that's the name of the package) which installs packages either from online repositories or from the media. Refractainstaller is used in the devuan live isos, but it doesn't install any packages - it just copies the running live system to the hard disk.
I handle wireless firmware in Refracta by including the packages in the iso. There no possibility of accidentally installing them - they must be installed manually with dpkg or gdebi.
Offline
. . . a revised, libre-oriented installer.
There has been talk recently (not related the current rants which most of the devs won't even see) about Devuan releasing a 'Libre' version possibly for Ascii in addition to what is now offered. The various components are scattered here and there. Just need to be collected and glued together. Unfortunately, most of us lack the skills to help with that so it remains on the to-do list . . .
Offline
Hello again, siva.
Concerning the installation of proprietary components,
When I say that it should be made sure that "the user really wants to and knows what s/he's doing", what I mean by this is that,
(I have been introduced to Debian a long time ago - and so, I don't know now to what extend did Debian use to do something in this regard, on its wiki pages - or if it was Ubuntu that, in its first releases and documentation, made this clear about repositories... But, even if they didn't originally,)
The correct way to deal with this issue, in my opinion, (besides having the proprietary components not included in the installation media, for more security) is to have, on the instructions of how to add proprietary components, in the part that describes how to activate the necessary repositories, a preceding warning/indication, where it's (explicitly) stated something like:
By activating these repositories, you are making it possible to install software of which the source code is unknown - and, in relation to which, there are consequentially no guarantees that it is secure, or that it is rid of any sort of spyware or malware.
So that, when using the installer, instead of a novice to GNU/Linux just (unreflectively) choosing "Yes" (to quickly move on with the installation) to a mere question about if s/he wants to add a proprietary component, s/he is instead forced to read such a warning in the instructions of how to do this, and be educated (i.e. warned) about the important issue in question.
And, as a side note,
Having a distribution that behaves like Debian does right now, is also a way to please both the "purists", who only want to use Free Software, and the people who care less about this issue. Since that, unless a user modifies him/herself the "sources.list" file, Debian is practically just like any other fully "libre" distribution. And, those who want to use proprietary components and software can also use them in the same distribution. (With this also practically eliminating the need for people to create, and maintain, a separate fully "libre" variant of the same distribution.)
Concerning what I can do, to help (in practical terms) with such an installer, or with a possible mirror,
Unfortunately, I don't know how to properly program (besides basic stuff), and also don't have the time to involve myself in the creation and maintenance of a mirror (too much important stuff to deal with already, in my volunteer "citizen journalism" activity, on my free time). So, I'll have to stick to making small donations, so that other people who know how to do this kind of stuff can do it instead.
But, my "contribution" to this particular subject of the installer can then be the simple suggestion that, the best thing to do, in my opinion, (besides getting rid of systemd and its dependencies, and adjusting other packages to the absence of such) is to just modify Debian's original installer in the parts where it refers to "Debian", instead of "Devuan", and in those where there are links to the original mirrors - and, just leave all the rest as it is.
Debian is already a great distribution in itself. So, there's no need to modify anything about it, in my opinion (besides removing the systemd component). Also, from the name "Devuan" that's what I think that everyone is also expecting (i.e. for this distribution to be just a "Debian without systemd").
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline